While it's no surprise that the healthcare industry experiences breaches of sensitive information like any other sector, the revelation that on average more than one in ten have experienced serious data loss events recently may come as a shock. A new study found that 94% of the 80 health care organizations surveyed indicated they experienced an event that compromised confidential patient information in the last two years, and that the costs incurred from the breaches have risen to $2.4 million this year, up from the $2.2 million documented in 2011 and $2.1 million in losses from 2010.
The Third Annual Benchmark Study on Patient Privacy & Data Security, conducted by the Ponemon Institute at the request of breach consultancy ID Experts, found that the increased use of cloud computing options and file-sharing applications has contributed significantly to the problem of adequately securing patient healthcare records, but that 46% of the survey participants indicated that devices lost or stolen by negligent employees were the primary cause of breaches.
"Since 2010 the threats to healthcare organizations have become increasingly more difficult to control. Technologies that promise greater productivity and convenience such as mobile devices, file-sharing applications and cloud-based services are difficult to secure. Employee mistakes and negligence also continue to be a significant cause of data breach incidents. Another worry presented in this research is that sophisticated and stealthy attacks by criminals have been steadily increasing since 2010," the report states.
Key findings in the Ponemon report include:
- 45% of respondents report that their organizations have experienced more than five data loss incidents in the last two years
- Data breaches costing organizations more than $500,000 have increased from 48% of healthcare organizations surveyed in 2010 to 57% in 2012
- Criminal attacks against healthcare networks have seen a sharp increase, up from 20% of organizations reporting a hacker breach in 2010 to 33% in 2012
- 81% of organizations surveyed permit employees and medical staff to use their own mobile devices (BYOD)
- 69% of organizations do not secure medical devices such as wireless heart pumps, mammogram imaging and insulin pumps, which are vulnerable to attack
- 62% of organizations make moderate or heavy use of cloud services, and 47% are not confident that information in the cloud is secure
- 54% of organizations have little or no confidence that their organization has the ability to detect all patient data loss or theft
"Healthcare organizations need to strengthen their privacy and security posture if they are to reduce the number of data breaches occurring in their organizations. The findings suggest a low level of confidence in the ability to safeguard healthcare organizations from the mobility and BYOD risks as well as in being able to detect data breaches and medical identity theft," the report notes.
The study's authors recommend that healthcare organizations ensure that those responsible for security and privacy report directly to the board of directors, conduct security risk assessments annually, and implement strict access control measures for stored data.
The authors also suggest that organizations develop a comprehensive mobile device policy coupled with regular security awareness training for employees, and work with cloud service providers to ensure that security and compliance needs are being properly addressed.